The hassle of LE Cert updates

Hey everyone,

I’ve been fighting LE cert upgrade problems since the early days. I think this is probably related to my VPS sitting behind a NAT (can’t change anything with that, it’s how the provider handles networking).

However, nearly all LE updates seem to fail when run in cron. If I run

ee site update --le=renew --all

manually, it works, but the script stops after every renewal, outputting a

{'[email protected]': (451, b'4.3.0 <[email protected]>: Temporary lookup failure')}

But: the update of the cert worked. If I rerun the renewal it skips this site as the update worked.

After all I think the problem isn’t with the renewal but with the way EE scripts work to verify.

Does anyone have a hint how I could work around this problem or fix it?

Thanks, Frank

Hmm, really no one? I just received the next emails from LE telling me that certs are expiring even though crons are set.

I can’t see anything on /var/log/ee/ee.log or /var/log/letsencrypt/letsencrypt.log

The latter was last updated in November :confused:

Can you post your cronjob example that fails the auto renewal?

Cronjob example? It’s the default cronjob generated by EE

0 0 * * 0 ee site update --le=renew --all 2> /dev/null # Renew all letsencrypt SSL cert. Set by EasyEngine

OK, now just add sudo in front of this command and it should be fine.

Really sudo? This is in the root crontab and should be run as root. Why sudo?

All EE commands should run under sudo

Why do you say that? When did this change?

Since the beginning I’m aware that all EE commands must be run as root not with sudo. What am I missing?

No, nothing changed. What I meant is it should be run either as root, or, if a different user is used, with the sudo command. Either will do.

So then we’re back again without any changes. As the command is already run from the root cron, the user rights shouldn’t be an issue.

Any other idea where I might start bugfixing? No one else with this problem?

At least sometimes it looks like the only real problem is that nginx doesn’t get reloaded after renewing the cert and therefore doesn’t use the renewed cert.
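One way to confirm the "renewed on disk but nginx not reloaded" case described above, as an added example that is not part of the original thread and not EasyEngine code: it compares the SHA-256 fingerprint of the certificate file on disk with the certificate nginx actually presents. The script name, function names and the choice to connect to 127.0.0.1 (to sidestep the NAT) are assumptions; the certificate path is passed as an argument.

```python
#!/usr/bin/env python3
"""Report when nginx still serves an older certificate than the one on disk."""
import hashlib
import socket
import ssl
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def pem_fingerprint(pem_text):
    """SHA-256 of the first (leaf) certificate in a PEM file or bundle."""
    start = pem_text.index(PEM_BEGIN)
    end = pem_text.index(PEM_END, start) + len(PEM_END)
    der = ssl.PEM_cert_to_DER_cert(pem_text[start:end])
    return hashlib.sha256(der).hexdigest()


def fetch_served_der(server_name, connect_to="127.0.0.1", port=443, timeout=10):
    """Fetch the leaf certificate nginx presents for server_name (SNI).

    Connecting to 127.0.0.1 avoids NAT hairpin issues. Verification is off
    because the bytes are only compared, and an expired cert must still load.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((connect_to, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.getpeercert(binary_form=True)


def nginx_is_stale(disk_pem_text, served_der):
    """True when the served certificate differs from the one on disk."""
    return pem_fingerprint(disk_pem_text) != hashlib.sha256(served_der).hexdigest()


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_served_cert.py <domain> <path-to-fullchain.pem>")
    domain, pem_path = sys.argv[1], sys.argv[2]
    with open(pem_path) as fh:
        disk_pem = fh.read()
    if nginx_is_stale(disk_pem, fetch_served_der(domain)):
        # Non-zero exit plus stderr output makes cron mail the result,
        # provided the crontab line does not discard it with 2> /dev/null.
        sys.exit(f"{domain}: nginx serves a different cert than {pem_path}; reload nginx")
    print(f"{domain}: served certificate matches {pem_path}")
```

Run from cron after the renewal job, this turns a silently stale certificate into a visible failure instead of an expiry e-mail weeks later.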

Not sure, my issue was the sudo missing in the crontab command, as soon as I added it no more problems since.